[Pdns-users] Only REFUSED responses after upgrade.
pdns at cbserviceslondon.com
Tue May 28 18:25:09 UTC 2019
(This may be a duplicate, but probably not, as I realized I sent it the
first time before I confirmed my subscription to the mailing list....)
I have a private DNS server on PowerDNS that is used for a remote
It's not publicly accessible, and uses a domain name (remote.local) that
can't be Internet routed.
It uses the gMySQL backend to MySQL on a different host, with a script
that parses an OpenVPN status file and updates the DNS records as
This part isn't the issue, and works just fine.
This DNS server has been running on Debian 7 Wheezy for years without
Debian 7.11 packaged PowerDNS 2.9.22.
Since Debian 7 is well out of support, I wanted to update this server to
a supported version.
I upgraded to Debian 8 Jessie, which uses PowerDNS 3.4.1.
Immediately all DNS queries to this server started returning REFUSED.
At first I thought it wasn't connecting to the database, as the host
command returned nothing at all. The startup log info for pdns-server,
though, clearly shows the database connection is made successfully.
Dig, however, returns a REFUSED status for every query given, even if
queried from the DNS server itself.
It doesn't matter if it's a domain that pdns is supposed to be
authoritative for, or not.
One thing I did note was that every dig query said
# WARNING: Recursion requested but not available.
I assumed my issue was a new security feature, so did a bunch of
As a result, I've tried setting the 'allow-recursion' directive to my
entire class B network (172.16.0.0/16).
Now the recursion warning has disappeared, but it still has a REFUSED
status for the queries.
master is enabled in the configuration, along with the webserver, but
I'm pretty sure there are no other changes.
I can post the entire configuration if necessary.
The webserver stats interface says that all queries are for domains that
pdns is _not_ authoritative for, even though the zone type is set to
'master' in the database for my remote.local domain.
I tried setting up a test PowerDNS server on an OrangePi I've been
playing with, and got it working, on Debian 9 (PowerDNS 4.0.3), but with
a local MySQL server, rather than another host.
At this point I figured there may be a bug in something in Debian 8, so
I upgraded the DNS server to Debian 9, too.
Still no dice.
I've compared the configurations of the two, and can't find any
difference between the OrangePi and the live DNS server, other than the
obvious MySQL host changes, and the fact that it's running on ARM,
rather than x86.
I even tried copying the entire configuration from the functional ARM
one to the broken x86 one, with the exception of the gmysql backend
configuration, and it _still_ fails with the same REFUSED.
Incidentally, it's running on a VirtualBox VM on top of another Debian
7.11 host that I'm also going to upgrade. I don't think that should
make a difference, but figured I'd add it.
I've read a bunch of documentation on powerdns.com, and a number of
Google searches on variations of "powerdns refused all queries" and
haven't found anything that I haven't already tried.
Am I missing something small and stupid that needs to be done during the
upgrade from 2.x to 3.x?
Now, just before I sent this, I reconfigured the functional ARM machine
to use the off-host database server that my live PDNS server is using,
and now it's returning REFUSED for every query.
The DB server is also still running Debian 7.11, so it's on my schedule
to update. Is this a database problem, or is there a bug in the gmysql
backend in 3.x+ that breaks queries to remote hosts?
Thanks in advance,